MDM Cloud is the SaaS edition of the on-premises Mobile Device Manager Plus product. With MDM Cloud you register the product and can start managing mobile devices straight away; the data and server configuration are hosted and maintained by Zoho. With the on-premises edition you install the application yourself and configure it for your network before devices can be managed.
There is almost no difference in the feature set offered by the two editions.
Ensure that the following ports are open in the proxy/firewall:

| Port | Protocol | Purpose | Direction |
|------|----------|---------|-----------|
| 9020 | HTTP | ME MDM app and server communication. | Inbound to server |
| 9383 | HTTPS | ME MDM app and server communication. | Inbound to server |
| 443 | HTTPS | Must be open on the Mobile Device Manager Plus server to reach the APNs, FCM and WNS servers (host addresses listed below). | Outbound from server |
| 2195 | HTTPS | Must be open on the Mobile Device Manager Plus server to reach APNs. Host address: gateway.push.apple.com | Outbound from server |
| 5223 | HTTPS | APNs to the managed devices. Must be open if the devices connect to the internet through the corporate Wi-Fi; it is recommended to allow the IP range 126.96.36.199/8. | Outbound from corporate network firewall |
| 5228, 5229, 5230 | HTTPS | For FCM to reach the managed devices (host addresses listed below). As FCM does not publish fixed IPs, allow outgoing connections to all IP blocks contained in Google's ASN of 1516. | Outbound from corporate network firewall |
| 5235, 5236 | HTTPS | Firebase Cloud Messaging (e.g. EMM-DPC communication). Host addresses: gcm-xmpp.googleapis.com; gcm-http.googleapis.com; android.googleapis.com | Outbound from corporate network firewall |

Host addresses for port 443 (APNs, FCM, WNS): https://login.live.com; https://*.notify.windows.com; android.com; android.googleapis.com; www.google.com; android.clients.google.com; *.googleapis.com; play.google.com; google-analytics.com; googleusercontent.com; gstatic.com; *.gvt1.com; *ggpht.com; dl.google.com; accounts.google.com; gcm-http.googleapis.com; fcm.googleapis.com; fcm-xmpp.googleapis.com; pki.google.com; clients1.google.com; clients[2...6].google.com

Also open the following domains, depending on the country in which the server is located:
US: gslb.secb2b.com; us-elm.secb2b.com; us-knox.secb2b.com
China: china-gslb.secb2b.com.cn; china-elm.secb2b.com.cn; china-knox.secb2b.com.cn
Asia, Africa, Europe or other regions: gslb.secb2b.com; eu-elm.secb2b.com; eu-knox.secb2b.com

Host addresses for ports 5228, 5229 and 5230 (FCM): https://android.com; play.google.com; android.clients.google.com; www.google.com; googleapis.com; android.googleapis.com; gstatic.com; google-analytics.com; googleusercontent.com; *.gvt1.com; *ggpht.com; dl.google.com; fcm.googleapis.com; fcm-xmpp.googleapis.com; gcm-http.googleapis.com; gcm-xmpp.googleapis.com
Also, ensure that the Mobile Device Manager Plus server has the permissions it needs to contact the domains listed here.
Both the MDM server and the devices to be enrolled must be able to reach the following domains, which must be excluded/allow-listed in the firewall and in any third-party filters.
To identify the domains which are not reachable by the MDM server, click here.
The domains which the MDM server is unable to reach are listed within the product. To view these domains, follow the given instructions.
NOTE: Entering a domain URL in the browser address bar does not verify its reachability. A browser only tests HTTP/HTTPS from the machine it runs on, not the ports listed above from the MDM server or from the device network.
Ports 5223, 5228, 5229 and 5230 must be open only if the managed devices reach the internet through the corporate Wi-Fi. If the devices connect through the cellular data network, this requirement does not apply.
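The NOTE above is the reason a browser check is not enough: it proves nothing about port 2195 or 5228. The following script is an added example, not part of Mobile Device Manager Plus; it makes real TCP connections to a sample of the (host, port) pairs from the table above from whichever machine it runs on, so run it on the MDM server for the outbound-from-server rows and on a corporate Wi-Fi client for the device rows. The target list is a constructed sample of the table, the clients[2...6].google.com range syntax is expanded into concrete names, and wildcard entries, which cannot be probed, are reported for manual allow-listing.

```python
"""Probe MDM connectivity requirements with real TCP connects (added example)."""
import re
import socket
from urllib.parse import urlparse

# Constructed sample of the port table above (label, host entry, port).
TARGETS = [
    ("APNs gateway (outbound from MDM server)", "gateway.push.apple.com", 2195),
    ("APNs to devices on corporate Wi-Fi", "gateway.push.apple.com", 5223),
    ("FCM to devices on corporate Wi-Fi", "fcm-xmpp.googleapis.com", 5228),
    ("FCM EMM-DPC", "gcm-xmpp.googleapis.com", 5235),
    ("WNS", "https://login.live.com", 443),
    ("Google clients", "clients[2...6].google.com", 443),
    ("Windows push", "https://*.notify.windows.com", 443),
]

# Matches the "name[lo...hi].domain" shorthand used in the host lists above.
RANGE_RE = re.compile(r"^(?P<prefix>[^\[]*)\[(?P<lo>\d+)\.\.\.(?P<hi>\d+)\](?P<suffix>.*)$")


def normalize_host(entry: str) -> str:
    """Strip scheme and path if the list item was written as a URL."""
    entry = entry.strip()
    if "://" in entry:
        entry = urlparse(entry).hostname or entry
    return entry.rstrip("/").rstrip(".").lower()


def expand_hosts(entry: str) -> list[str]:
    """Expand 'clients[2...6].google.com' into concrete names; others pass through."""
    host = normalize_host(entry)
    m = RANGE_RE.match(host)
    if not m:
        return [host]
    lo, hi = int(m.group("lo")), int(m.group("hi"))
    return [f"{m.group('prefix')}{i}{m.group('suffix')}" for i in range(lo, hi + 1)]


def is_wildcard(host: str) -> bool:
    return "*" in host


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """Return (ok, detail). Only a completed TCP handshake counts as reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as e:
        return False, f"dns: {e}"
    except (socket.timeout, TimeoutError):
        return False, "timeout (filtered?)"
    except OSError as e:
        return False, f"refused/error: {e}"


def check_targets(targets, probe=tcp_reachable):
    """Probe every concrete host; wildcard entries are reported with ok=None."""
    results = []
    for label, entry, port in targets:
        for host in expand_hosts(entry):
            if is_wildcard(host):
                results.append((label, host, port, None, "wildcard: allow the whole domain in the proxy"))
                continue
            ok, detail = probe(host, port)
            results.append((label, host, port, ok, detail))
    return results


def unreachable(results):
    """(host, port, detail) for every probe that failed."""
    return [(h, p, d) for _, h, p, ok, d in results if ok is False]


if __name__ == "__main__":
    for label, host, port, ok, detail in check_targets(TARGETS):
        state = {True: "OK  ", False: "FAIL", None: "SKIP"}[ok]
        print(f"{state} {host}:{port:<5} {detail} [{label}]")
```

A "timeout" usually means a firewall silently drops the connection, while "refused" means the path is open but nothing is listening; a DNS error means the proxy or resolver on that host cannot see the name at all. The `probe` parameter lets the checker be exercised without network access.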
No, the devices need not be factory reset (unless specified otherwise) to be enrolled and managed by MDM.
Currently, the following software platforms are managed by MDM:
Mobile Device Manager Plus currently supports PostgreSQL (pgSQL) and MS SQL Server as its database.
No, MDM does not support migration from Cloud to On-Premises. Everything, from uploading the APNs certificate and enrolling devices to distributing apps and/or profiles, has to be done again on MDM On-Premises.
No, you do not require an Apple Developer Account to manage the iOS devices using Mobile Device Manager Plus.
The ME MDM app consumes significant network data and battery only when downloading apps pushed to the device, with the amount depending on the size of the app. Other actions consume negligible network data. Consumption also varies with geo-tracking, depending on the accuracy level specified.
If the device is CDMA-activated, the identifier contains only 14 characters and is referred to as the MEID rather than an IMEI. You can check the IMEI of your device by dialling *#06#.
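A practitioner reconciling asset records against what devices report gets wrong-length or mistyped identifiers all the time. The following Python classifier is an added example, not part of Mobile Device Manager Plus: it tells a 15-digit IMEI (whose last digit is a Luhn check digit) from a 14-character hexadecimal MEID, verifies the IMEI checksum and extracts the Type Allocation Code. The sample values in the test are constructed; the IMEI used is the well-known public Luhn worked example, not a real device.

```python
"""Classify and validate the identifier shown by *#06# (added example)."""
import re

IMEI_RE = re.compile(r"^\d{15}$")          # 15 decimal digits, Luhn-checked
MEID_RE = re.compile(r"^[0-9A-F]{14}$")    # 14 hex characters, no check digit


def clean(value: str) -> str:
    """Drop the spaces and dashes that labels and device screens insert."""
    return re.sub(r"[\s-]", "", value).upper()


def luhn_sum(digits: str) -> int:
    """Luhn sum of a full number whose check digit is in the last position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit Luhn-valid (body = first 14 digits).
    Appending a placeholder '0' keeps the doubling aligned as in the full number."""
    return (10 - luhn_sum(body + "0") % 10) % 10


def classify(value: str) -> str:
    """'imei', 'imei-bad-checksum', 'meid' or 'invalid'.
    A 14-character all-decimal value is treated as a MEID, as described above."""
    v = clean(value)
    if IMEI_RE.match(v):
        return "imei" if luhn_valid(v) else "imei-bad-checksum"
    if MEID_RE.match(v):
        return "meid"
    return "invalid"


def tac(imei: str) -> str:
    """Type Allocation Code: the first 8 digits of a valid IMEI, identifying the model."""
    v = clean(imei)
    if classify(v) != "imei":
        raise ValueError("not a valid IMEI")
    return v[:8]


if __name__ == "__main__":
    for sample in ("49-015420-323751-8", "490154203237519", "A00000049259B1", "12345"):
        print(sample, "->", classify(sample))
```

An IMEI that fails the checksum is almost always a transcription error in the asset record rather than a device problem, so it is worth flagging before it is used in a lookup.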
For a device to use Android for Work (AfW) based features and configurations, the OEM (Original Equipment Manufacturer) must provide support for it on that device. If the OEM does not provide AfW support for a specific device model, that model cannot be provisioned as Profile Owner/Device Owner, and features that require such provisioning cannot be pushed to it. Some of the devices supporting Android for Work are listed in these links - link #1, link #2 and link #3.
If an app update is available, the ME MDM app is updated silently on non-Samsung devices running Android 6.0 or later that are provisioned as Device Owner, and on all Samsung devices. On other devices a notification is displayed on the managed device and the user has to update the app manually. App updates are usually made available with each build update of MDM On-Premises, and roughly monthly in the case of MDM Cloud.
To avoid using invites, you can use Self Enrollment, where users enroll their devices themselves, or Admin enrollment, where, as the name suggests, the enrollment is carried out by the admin. The advantage of Admin enrollment is that the process is automated and requires minimal user intervention and/or admin action. MDM supports the following types of Admin enrollment for Android:
The following types of Admin enrollment are supported in iOS:
You can collect the Android logs from the device, either using the ME MDM app or without it, and mail them to the MDM Cloud support team (email@example.com).
The other option is to send the logs directly from the ME MDM app. Open the app and tap the horizontal blue bar at the top five times.
Enter logs@memdm as the password, specify the issue details and click OK to send the logs.
You can collect the iOS logs from the device using the ME MDM app and mail them to the MDM Cloud support team (firstname.lastname@example.org).
MDM provides a 30-day trial of the Professional Edition, in which you can manage unlimited devices and add unlimited additional technicians. Once the 30-day trial expires you can extend your trial, purchase the product or move to the Free Edition. If you move to the Free Edition after the trial expires, you choose the devices (up to 25) you want to keep managing; all the apps and profiles distributed to those devices, and the other configurations associated with them, are retained. The Free Edition is otherwise like the trial edition, except that it allows a maximum of 25 managed devices and no additional technicians can be added.
If, when trying to sign up, you encounter an error stating that you are part of another organization, such as "Access denied for this service. Please contact your Org (<org_name>) administrator [email@example.com]", you are already a registered user because your organization has registered for Zoho services. A super admin is assigned for Zoho services, and only the super admin can sign up for any other Zoho service, including MDM Cloud. If the super admin has signed up for Zoho services, request the super admin to add you as a technician so that you can use MDM Cloud. If you only want to try MDM Cloud, you can sign up with an alternate e-mail address. If you are redirected to https://mdm.manageengine.com/enroll.do, request the super admin to add you as a technician to use MDM Cloud.
For iOS device management, Apple IDs are used by both the organization and the users. The organization's Apple ID should preferably be mapped to the organization rather than to any individual in it, while a user's Apple ID is mapped to the individual device user.
Following are the services that make use of the organization's Apple ID-
NOTE: Use only the organization's corporate Apple ID for the above services, as they all require the same Apple ID to be used at renewal.
The user's Apple ID can be used for the following-
For iOS and Windows devices, Mobile Device Manager Plus uses the native MDM client built into these devices. The agent is required only to perform the following:
For Android devices, the ME MDM app is required to manage the device. Installation of the app is taken care of during the enrollment process.
Mobile Device Manager Plus has two editions so that users can pick the features their organization requires. The Standard Edition is recommended for organizations looking for basic MDM capabilities such as app management, device management and asset management. The Professional Edition gives organizations advanced management capabilities over their mobile devices; some of its additional features are geo-tracking, Conditional Exchange Access and content management. For a complete comparison between the two editions, refer to the edition comparison matrix.
If a device is enrolled with MDM, it has to be deprovisioned before it can be removed from the server. On the MDM console, open the Enrollment tab, click the ellipsis button under the Action column for the device to be removed from management, and click Deprovision. The device is moved to the Staged tab, from where it can be deleted using the Remove Device option. If the device is offline, or has already been unmanaged, it can be removed from the MDM server directly.
The admin can choose to deprovision the device to revoke MDM Management using the following options:
Repair Device, Employee left organization and Retire Device factory reset the device, whereas under Others the admin can choose between a Complete Wipe and a Corporate Wipe.
When Complete Wipe is chosen during deprovision, the device is factory reset and all content and settings are removed. When Corporate Wipe is chosen during deprovision, the consequences are as follows:
| Platform | Provisioning | Effect of Corporate Wipe on deprovision |
|----------|--------------|------------------------------------------|
| Android | Device Owner, Core Android and Samsung devices | All associated profiles are removed automatically; previously distributed apps are not uninstalled. |
| Android | Profile Owner | The complete work profile is removed, which removes every policy, app and item of content distributed via MDM. |
| Apple | | All associated profiles, apps and distributed content are removed from the device. The ME MDM app is also removed if the Remove app on MDM Profile Removal option was checked when it was added to the App Repository. |
| Windows | | All associated profiles, apps and distributed content are removed from the device. All configurations in Company/Workspace are cleared on devices running Windows 8.1 and above. |
NOTE: If a passcode policy is associated with the device, only the policy is removed and the passcode remains on the device on deprovision.
MDM secures the communication between the managed devices and the server using SSL/TLS certificates. A self-signed certificate already encrypts the traffic; importing a third-party certificate signed by a trusted Certificate Authority additionally lets clients verify the server's identity, so users need not manually trust the certificate when accessing the MDM server and can reach it without a browser warning.
If the admin who created the account on MDM Cloud has left your organization, please contact our Support team at firstname.lastname@example.org. We will transfer the account to a different user. If you have the credentials of the admin who created the account, you can login to the product and transfer the administrator privilege to a new user by following the steps given here.
If the device has a SIM slot, MDM can display its IMEI. iPads without a SIM slot have no IMEI, so none can be obtained or displayed by MDM.
The prerequisites for enrolling a mobile device are:
End user should have the following for self enrolling a device.
No, you need not re-enroll the managed mobile devices, because they will continue to reach the Mobile Device Manager Plus server using its external IP.
If the issue is still not fixed, contact MDM Cloud support (email@example.com).
To make a secondary e-mail address primary, click the mail icon shown next to that address. The selected e-mail address becomes the primary one.
In case multiple teams(referred henceforth as org) in your enterprise use any Zoho service, follow the instructions specific to your scenario.
If this page is displayed when trying to enroll a device, ensure you are accessing the correct enrollment URL from the device being enrolled.
If this page is displayed when trying to access MDM Cloud, ensure your MDM Cloud admin has added you as a user.
A device enrolled using Apple DEP cannot be unmanaged simply by factory resetting it. To unmanage such a device, first remove it from the DEP server and then reset the device in Recovery Mode.
Ensure the following before enrolling devices using Apple Configurator:
Both Supervision (iOS) and Device Owner provisioning (Android) let the administrator exercise additional control over the managed devices. Either can be undone only by factory resetting the device.
Mobile Device Manager Plus allows the admins to modify the username and email address associated with enrolled devices without having to re-enroll the devices. To modify the associated credentials follow the steps given below:
Modifying the user details will reassign the account based profiles to the new email address.
iOS 11 and above devices can be enrolled into DEP using Apple configurator, even if they aren't purchased directly from Apple or authorised resellers. Follow the steps given in this document to enroll these devices.
This error is usually encountered when you have previously enrolled iPhones using Apple Configurator. For iPhones, Apple Configurator fetches the IMEI, so for iPads it also tries to fetch an IMEI (which iPads do not have) and shows an error. In such cases, factory reset the device using Apple Configurator and retry the process.
When no third-party SSL certificate has been imported to the server, the ME MDM app cannot verify the identity of the MDM server it is talking to. To establish a trusted connection, the user has to manually trust the certificate during MDM profile installation. To automate this, import an SSL certificate signed by a valid Certificate Authority into the MDM server; the MDM profile is then shown as verified during enrollment.
NOTE: The Not Verified status does not alter any of the functionality offered by Mobile Device Manager Plus.
Mobile Device Manager Plus resolves conflicting restrictions in favour of security. Whenever more than one policy applies to the same setting, the policy that provides more security is applied automatically. For example, if two restriction policies are assigned to a device, one allowing use of the camera and the other restricting it, the more restrictive policy wins and camera use is restricted on the device.
No, a passcode policy enforced on the mobile device cannot be revoked by the user. Even if users disable the passcode in the device settings, they are forced to set a passcode again when the device is unlocked. If the MDM profile is removed from the device, however, the device can no longer be managed by Mobile Device Manager Plus.
Policies and restrictions that have been applied successfully to a managed mobile device are called imposed policies.
The administrator instructs users to accept the policies and restrictions pushed to their devices. When a user overrides a policy or restriction, it is called a violated policy.
Idle timeout before device lock specifies how long the device may stay idle before the screen turns off. This is similar to the setting that can be configured on the device (Settings > General > Auto-Lock). Grace period for device lock is the time allowed after the screen turns off before the user is prompted for a passcode: when the user slides to unlock within that period no passcode is required, after it they must enter the passcode. This is similar to the setting that can be configured on the device (Settings > General > Passcode Lock).
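The "more secure policy wins" rule described above, together with the passcode timers just explained, can be written down as a merge function so that the effective policy for a device is predictable before profiles are associated. The following Python is an added example, not Mobile Device Manager Plus's own code or configuration format: the restriction names, the profiles and the choice of which direction is "more secure" for each setting are assumptions made for the example, while the rule it implements (most restrictive value wins, regardless of association order) is the one the page describes.

```python
"""Merge restriction profiles with a 'more secure value wins' rule (added example)."""
from typing import Callable

# Boolean restrictions: the value listed is the more secure one.
SECURE_BOOL = {
    "allow_camera": False,
    "allow_app_store_install": False,
    "allow_icloud_backup": False,
    "require_passcode": True,
}

# Numeric settings: the function picks the more secure of two values.
# Shorter idle timeout and grace period, longer minimum passcode length,
# fewer failed attempts before the device is wiped.
SECURE_NUMERIC: dict[str, Callable[[int, int], int]] = {
    "passcode_min_length": max,
    "idle_timeout_minutes": min,   # screen turns off sooner
    "grace_period_minutes": min,   # passcode prompted sooner after lock
    "max_failed_attempts": min,
}


def merge_restrictions(profiles: list[tuple[str, dict]]) -> dict[str, tuple[object, str]]:
    """Return {restriction: (effective_value, name_of_winning_profile)}."""
    effective: dict[str, tuple[object, str]] = {}
    for name, settings in profiles:
        for key, value in settings.items():
            if key in SECURE_BOOL:
                secure = SECURE_BOOL[key]
                if key not in effective:
                    effective[key] = (value, name)
                elif value == secure and effective[key][0] != secure:
                    # A restricting value overrides a permissive one, never the reverse.
                    effective[key] = (value, name)
            elif key in SECURE_NUMERIC:
                if key not in effective:
                    effective[key] = (value, name)
                else:
                    current, owner = effective[key]
                    chosen = SECURE_NUMERIC[key](current, value)
                    effective[key] = (chosen, owner if chosen == current else name)
            else:
                raise KeyError(f"unknown restriction: {key}")
    return effective


def effective_values(profiles: list[tuple[str, dict]]) -> dict[str, object]:
    """Just the winning values, without the provenance."""
    return {k: v for k, (v, _) in merge_restrictions(profiles).items()}


# Constructed profiles for the example.
PROFILES = [
    ("Baseline", {"allow_camera": True, "passcode_min_length": 4,
                  "idle_timeout_minutes": 5, "grace_period_minutes": 15}),
    ("Finance hardening", {"allow_camera": False, "passcode_min_length": 6,
                           "grace_period_minutes": 1, "require_passcode": True}),
]

if __name__ == "__main__":
    for key, (value, owner) in sorted(merge_restrictions(PROFILES).items()):
        print(f"{key:24} = {value!s:6} (from {owner})")
```

Because the merge never lets a permissive value displace a restrictive one, the result is the same whichever profile is associated first; the provenance field shows which profile an admin must edit to relax a setting.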
No, Apple doesn't permit MDM solutions to restrict OS updates. However, MDM provides a workaround to prevent OS updates as explained here.
Apple does not permit restricting users from changing the date and time settings on their devices. Mobile Device Manager Plus can prevent the user from accessing any settings by running the device in Kiosk Mode, where only one app is available. Another method is to ensure that the required apps depend only on network date and time and not on the device's date and time.
In case of iOS devices, the settings can be restricted by disabling the individual settings under Restriction in Profiles. For Android devices, the Settings app can be disabled by disabling the option "Modify default device settings" under Restrictions in Profiles.
In addition to these methods, user can be prevented from changing any settings by running the device in Single App Kiosk Mode.
You can make use of the CardDAV profile to distribute contacts to the managed devices. Here you can make use of Google contacts or any other third party service that supports CardDAV.
You can restrict users from modifying accounts on their devices by navigating to Device Management -> Profiles -> Restrictions -> Advanced Security and restricting the Modify Account Settings option.
The user will then be unable to modify accounts such as mail accounts, iCloud and iMessage settings. If you want to restrict iCloud completely, navigate to Profiles -> iCloud and restrict it. This completely prevents apps from syncing with iCloud and also prevents device backup to iCloud.
Yes, you can configure E-mail, Wi-Fi and other essential settings(such as VPN, Exchange etc.,) across platforms on MDM server and then associate it to groups. Devices added to this group on enrollment, are automatically distributed the configured policies and thus, getting pre-configured on device. Know more about all the policies supported by iOS, Android and Windows in MDM.
With iOS 11, Apple released a feature that lets users share Wi-Fi credentials with a new device by bringing two devices running iOS 11 close to each other. Though this feature is convenient for personal Wi-Fi, it can cause problems in corporate environments, so Apple ensured that any Wi-Fi network distributed through a mobile device management solution cannot be shared using Wi-Fi sharing. Therefore, any Wi-Fi network pre-configured using Mobile Device Manager Plus cannot be shared with other users through the Wi-Fi sharing feature.
Users can be allowed to make phone calls and access contacts from Android devices in kiosk mode by adding the respective apps to the kiosk profile. Samsung and other Android devices make use of different package names for this app and hence it is recommended to search for the apps using the following bundle identifiers.
Admins can automatically blacklist inappropriate or malicious content by enabling the checkbox Automatic restriction of malicious content or Automatically restrict inappropriate content under Web Content Filtering for Android and iOS device profiles respectively.
Case 01: The admin configures an Email based profile and another profile which restricts Add/modify iCloud, Mail and other accounts, using MDM. On associating these profiles, the user is prompted to provide the email password while performing the initial setup. In case the user closes this prompt before providing the password, it cannot be configured unless the Email profile is re-associated with the device.
Case 02: Similarly, both the profiles are associated with an iOS device and the Mail account is successfully configured during the initial setup. When the password expires, the device does not prompt/allow the user to change it. The workaround is to re-associate the Email profile to the device, since Apple has not provided any solution.
App Store apps are those available in the App Store; they can be paid or free. Enterprise apps, also called in-house apps, are developed specifically for an enterprise; each is unique, and wholly owned and distributed by the enterprise itself.
You can restrict App Store on managed devices, by creating a profile and navigating to Restrictions -> Applications and restricting Users can install apps from App Store. This ensures only apps distributed through MDM can be installed on the device(must be running iOS 9.0 or later versions). If this is restricted for devices running other OS versions, even MDM-distributed apps cannot be installed on the device.
Volume Purchase Program(VPP) is used for purchasing app licenses in bulk and distributing the same to user either through managed distribution or redemption codes. Know more about Volume Purchase Program here.
'APK' refers to the Android application package file. Android programs are compiled into a package with the .apk extension, which is used for distributing the app. When adding an Android app to the App Repository, ensure it is in .apk format.
Mobile Device Manager Plus app distribution is designed in such a way that you can only distribute iOS apps to iOS devices, Android apps to Android devices and Windows apps to Windows devices.
Device Administrator must be enabled on the Android mobile device to authorize Mobile Device Manager Plus to perform remote management activities on the device.
App Store apps can be installed without entering Apple ID, as explained here.
Yes, with the help of iOS app license management feature in VPP, Mobile Device Manager Plus will let you to revoke and reassign app licenses to the required user device.
If the APNs certificate has expired, the Apple Push Notification service will no longer be able to contact the managed mobile devices. Renewing an APNs certificate after expiry is the same as creating a new one, which means all the devices have to be enrolled again to be managed. Suppose the certificate expires on the 30th of June: you must renew it well before that date and update it on the Mobile Device Manager Plus server, and every managed device must contact the server at least once before the 30th of June. Any device that fails to contact the server in that window has to be enrolled again. Hence we recommend renewing the APNs certificate a month before it expires.
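The renewal window described above is easy to get wrong when hundreds of devices are involved, so it helps to compute it. The following Python is an added example, not a Mobile Device Manager Plus feature: given the certificate expiry date, the date the renewed certificate was uploaded and each device's last contact with the server, it reports which devices still need to check in and which are past saving. The dates and device names in the test are constructed; the 30-day lead time is the recommendation given above.

```python
"""Plan an APNs certificate renewal so no device has to be re-enrolled (added example)."""
from datetime import date, timedelta
from typing import Optional

RENEW_LEAD_DAYS = 30  # renew about a month before expiry, as recommended above


def renewal_deadline(expires_on: date) -> date:
    """Latest sensible date to renew and upload the new APNs certificate."""
    return expires_on - timedelta(days=RENEW_LEAD_DAYS)


def device_status(expires_on: date, renewed_on: Optional[date],
                  last_contact: Optional[date], today: date) -> str:
    """Classify one device:
    ok        - it contacted the server after the renewed certificate was uploaded
                and before the old one expired
    pending   - it still has to check in before expiry
    re-enroll - the certificate expired before it checked in
    """
    synced = (renewed_on is not None and last_contact is not None
              and renewed_on <= last_contact <= expires_on)
    if synced:
        return "ok"
    return "re-enroll" if today > expires_on else "pending"


def renewal_report(expires_on: date, renewed_on: Optional[date],
                   devices: dict[str, Optional[date]], today: date) -> dict:
    """Certificate state plus a per-device status map."""
    if renewed_on is None:
        cert_state = "RENEW NOW" if today >= renewal_deadline(expires_on) else "renewal not yet due"
    elif renewed_on > expires_on:
        cert_state = "EXPIRED before renewal: all devices must re-enroll"
    else:
        cert_state = "renewed"
    return {
        "renew_by": renewal_deadline(expires_on),
        "certificate": cert_state,
        "devices": {name: device_status(expires_on, renewed_on, contact, today)
                    for name, contact in devices.items()},
    }


def needs_attention(report: dict) -> list[str]:
    """Device names that are not yet safe, sorted for a stable report."""
    return sorted(name for name, status in report["devices"].items() if status != "ok")


if __name__ == "__main__":
    # Constructed data for the example.
    expiry, renewed = date(2024, 6, 30), date(2024, 6, 1)
    fleet = {"ipad-01": date(2024, 6, 10), "iphone-02": date(2024, 5, 20), "iphone-03": None}
    report = renewal_report(expiry, renewed, fleet, date(2024, 6, 15))
    print(report["certificate"], "renew by", report["renew_by"])
    for name in needs_attention(report):
        print(name, report["devices"][name])
```

Devices reported as pending are the ones to chase (power on, connect to a network, open the ME MDM app) before the expiry date; once that date passes they can only be recovered by re-enrollment.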
Yes, the user has to enter the Apple ID to install the apps. To install apps silently or without requiring Apple ID, refer to this.
For mobile devices running Windows 8 and 8.1, the steps to perform App distribution:
AET refers to Application Enrollment Token. The Windows Phone 8 operating system requires each device to be enrolled with the enterprise before users can install company applications on it. The only way to achieve this is with an Application Enrollment Token, which enables you to distribute enterprise applications to a Windows Phone 8 device. For more information, visit help.
Work profiles are installed when Android devices are provisioned as Profile Owner using Android for Work. To verify whether Work profile has been installed in the device, go to Settings, and select Accounts. Work profile is listed under the Work section.
In Android devices running 5.0 or later versions, go to Settings, click on Accounts and select Remove work profile. Click on Delete to confirm the removal of all apps and data within the work profile.
Once a device is in Single App Mode, no permission prompts are generated, so the app cannot obtain access to the camera, contacts or location services. The admin should grant these permissions before putting the device into single-app kiosk mode.
Follow one of the given methods to distribute enterprise apps using Mobile Device Manager Plus:
When a VPP token is removed from a server, the licenses used to distribute apps are returned to your account. When you use that token on another server, the licenses can be used to distribute the apps to devices from there.
The same VPP token cannot be used on multiple MDM servers, as each MDM server manages the complete set of licenses purchased with the token. Using the token on a second server results in that server revoking the licenses of the apps distributed by the first and removing those apps from the devices.
We can prevent the installation and uninstallation of apps from devices by applying a few restrictions to devices.
Yes, you can install enterprise apps silently on Android devices as explained here
Yes, you can stop and/or control app updates on managed iOS devices, provided the apps were distributed and installed through VPP. Also ensure that Without Apple ID was selected in the initial VPP settings. This lets the app be installed without requiring an Apple ID, so the app license is associated with the device instead of with an Apple ID, as it usually would be. Because the app is not associated with the Apple ID on the device, the App Store does not notify users of updates for apps distributed through MDM. You can choose to force app updates on the device as explained here.
This is an issue on particular models of Xiaomi devices. If you're unable to distribute enterprise apps to Xiaomi devices, follow the steps given below:
Yes, you can remove apps present on the devices, by blacklisting them as explained here
The ME MDM app creates a home-screen shortcut when it is installed on an Android device. In most cases the user has also enabled the Add icon to Home screen option in the Google Play Store, which creates another shortcut. Sometimes, even when the app is updated, the existing shortcut is not replaced by the new one, resulting in multiple app shortcuts.
To avoid the creation of multiple shortcuts, the user should disable the Add icon to Home screen option in the Play Store by navigating to Play Store -> Settings -> Add icon to Home screen.
Yes, you can completely lock down the device by preventing users from installing/uninstalling apps and ensuring that only apps distributed via MDM are installed on the device. To lock the device to specific app(s)/settings, use Kiosk mode.
This is due to staged rollouts of app updates on the Google Play store. An app developer can release updates only to a percentage of devices, which are chosen randomly. Click here for more information on staged rollouts.
Only the app versions which have completely rolled out (100%) are added to MDM. For example, say a staged rollout for an app is released for 20% of the devices. If the device falls into this category at the time of distributing the app via MDM, this issue of different app versions occurs. The app installed on the device will be of the latest version (The latest rollout), and the MDM server will have the previous version which has completely rolled out.
For apps developed using Google Play's multiple APK support (listed as "Varies with device"), different APKs are targeted at different device configurations. Each APK is an independent version, but they share the same app listing on Google Play. This can again cause different app versions to be displayed on the server and on the device, depending on the device type.
With "Bring Your Own Device" (BYOD) support an integral part of Mobile Device Manager Plus, you can ensure the security of corporate data. Whenever a user's personal device is lost, or an employee leaves the organization, administrators can execute security commands such as Corporate Wipe or Complete Wipe to protect that data. This makes Mobile Device Manager Plus a smart choice for any enterprise managing BYOD.
Corporate Wipe is a security command used to wipe corporate data from a device, most often when the device is lost. Corporate Wipe removes only the configurations and apps that were pushed using Mobile Device Manager Plus; it does not wipe any of the user's personal data.
Corporate Wipe removes the Exchange Server or e-mail account only if it was configured via Mobile Device Manager Plus. This includes the files and documents shared through the corporate e-mail.
Complete Wipe wipes all data on the device, leaving it as good as new.
Yes, you can wipe data on the device's external memory.
You can secure corporate data on mobile devices by applying the following restrictions:
These restrictions will help you to secure Corporate data on mobile devices.
Mobile Device Manager Plus allows admins to remotely control Samsung, Sony and Lenovo devices running Android 5.0 and above. Remote viewing is available for other Android devices running 5.0 and above, and for iOS devices.
You can associate users to either pre-defined roles or create roles and associate them. Additionally, you can modify the users, their roles and even delete them. Know more about user management here
Note that the Super Admin of all Zoho services changes when this is done.
To delete your MDM account, go to the MDM web console and click the Admin tab in the top menu. Select Company Details and click Delete Account, then follow the on-screen instructions to remove your MDM account.
This is a pay-as-you-go service and can be amended as and when you need. You can also purchase offline (non-Store) by mailing firstname.lastname@example.org.
Payments are securely done using Zoho Store. MDM Cloud supports payment via Visa, MasterCard, American Express and PayPal. You can also purchase offline(Non-Store), by mailing to email@example.com.
For changing payment method from offline(purchasing licenses by mailing to firstname.lastname@example.org) to online,
You can also change the billing address here as well. All your confidential data is secured using VeriSign.